<!DOCTYPE html>
< html lang = "fr" dir = "ltr" >
< head >
< meta http-equiv = "content-type" content = "text/html; charset=UTF-8" >
< meta charset = "utf-8" / >
< title > documentation:2.0:kerberos< / title > <!-- //if:usedebianlibs
< link rel = "stylesheet" type = "text/css" href = "/javascript/bootstrap/css/bootstrap.min.css" / >
//elsif:useexternallibs
< link rel = "stylesheet" type = "text/css" href = "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" > < / script >
//elsif:cssminified
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.min.css" / >
//else --><!-- //endif -->
< meta name = "generator" content = "DokuWiki" / >
< meta name = "robots" content = "index,follow" / >
< meta name = "keywords" content = "documentation,2.0,kerberos" / >
< link rel = "search" type = "application/opensearchdescription+xml" href = "lib/exe/opensearch.html" title = "LemonLDAP::NG" / >
< link rel = "start" href = "kerberos.html" / >
< link rel = "contents" href = "kerberos.html" title = "Sitemap" / >
< link rel = "stylesheet" type = "text/css" href = "lib/exe/css.php.t.bootstrap3.css" / >
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.css" / >
< script type = "text/javascript" > /*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
/*!]]>*/< / script >
< script type = "text/javascript" charset = "utf-8" src = "lib/exe/js.php.t.bootstrap3.js" > < / script > <!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery/jquery.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/jquery-2.2.0.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.js" > < / script > <!-- //endif --> <!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery-ui/jquery-ui.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/ui/1.10.4/jquery-ui.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.js" > < / script > <!-- //endif -->
< / head >
< body >
< div class = "dokuwiki export container" > <!-- TOC START -->
< div id = "dw__toc" >
< h3 class = "toggle" > Table of Contents< / h3 >
< div >
< ul class = "toc" >
< li class = "level1" > < div class = "li" > < a href = "#presentation" > Presentation< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#prerequisites" > Prerequisites< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#example_values" > Example values< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#server_time" > Server time< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#dns" > DNS< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#ssl" > SSL< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#web_browser_configuration" > Web browser configuration< / a > < / div >
< ul class = "toc" >
< li class = "level3" > < div class = "li" > < a href = "#firefox" > Firefox< / a > < / div > < / li >
< li class = "level3" > < div class = "li" > < a href = "#internet_explorer" > Internet Explorer< / a > < / div > < / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#single_ad_domain" > Single AD domain< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#client_kerberos_configuration" > Client Kerberos configuration< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#obtain_keytab_file" > Obtain keytab file< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#multiple_ad_domains" > Multiple AD domains< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#client_kerberos_configuration1" > Client Kerberos configuration< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#obtain_keytab_file1" > Obtain keytab file< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#other_resources" > Other resources< / a > < / div > < / li >
< / ul >
< / div >
< / div > <!-- TOC END -->
< h1 class = "sectionedit1" id = "kerberos" > Kerberos< / h1 >
< div class = "level1" >
< / div > <!-- EDIT1 SECTION "Kerberos" [1 - 24] -->
< h2 class = "sectionedit2" id = "presentation" > Presentation< / h2 >
< div class = "level2" >
< p >
This documentation explains how to use Active Directory as a Kerberos server and provide transparent authentication for one or multiple AD domains.
< / p >
< p >
You can use Kerberos in < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > with the following authentication modules:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < a href = "authkerberos.html" class = "wikilink1" title = "documentation:2.0:authkerberos" > Kerberos< / a > (recommended): uses the Perl GSSAPI module, compatible with Apache and Nginx< / div >
< / li >
< li class = "level1" > < div class = "li" > < a href = "authapache.html" class = "wikilink1" title = "documentation:2.0:authapache" > Apache< / a > : uses mod_auth_kerb or mod_auth_gssapi in Apache< / div >
< / li >
< / ul >
< / div > <!-- EDIT2 SECTION "Presentation" [25 - 454] -->
< h2 class = "sectionedit3" id = "prerequisites" > Prerequisites< / h2 >
< div class = "level2" >
< / div > <!-- EDIT3 SECTION "Prerequisites" [455 - 481] -->
< h3 class = "sectionedit4" id = "example_values" > Example values< / h3 >
< div class = "level3" >
< p >
We use the following values in our examples:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > EXAMPLE.COM< / strong > : first AD domain< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > ACME.COM< / strong > : second AD domain< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > auth.example.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > name of the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > KERB_AUTH< / strong > : AD account used to generate the keytab for the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server< / div >
< / li >
< / ul >
< / div > <!-- EDIT4 SECTION "Example values" [482 - 751] -->
< h3 class = "sectionedit5" id = "server_time" > Server time< / h3 >
< div class = "level3" >
< p >
The < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > and AD servers must have the same time. Using NTP for this is recommended.
< / p >
< / div > <!-- EDIT5 SECTION "Server time" [752 - 887] -->
< h3 class = "sectionedit6" id = "dns" > DNS< / h3 >
< div class = "level3" >
< p >
The name auth.example.com must be registered in the < abbr title = "Domain Name System" > DNS< / abbr > server (which is Active Directory). The reverse < abbr title = "Domain Name System" > DNS< / abbr > of auth.example.com < strong > must< / strong > return the portal < abbr title = "Internet Protocol" > IP< / abbr > .
< / p >
< div class = "notetip" > If you have an < abbr title = "Single Sign On" > SSO< / abbr > cluster, you must set up a virtual < abbr title = "Internet Protocol" > IP< / abbr > in the cluster and register this < abbr title = "Internet Protocol" > IP< / abbr > in < abbr title = "Domain Name System" > DNS< / abbr > .
< / div >
< / div > <!-- EDIT6 SECTION "DNS" [888 - 1170] -->
< h3 class = "sectionedit7" id = "ssl" > SSL< / h3 >
< div class = "level3" >
< p >
SSL is not mandatory, but it is strongly recommended. Your portal < abbr title = "Uniform Resource Locator" > URL< / abbr > should be < a href = "https://auth.example.com" class = "urlextern" title = "https://auth.example.com" rel = "nofollow" > https://auth.example.com< / a > .
< / p >
< / div > <!-- EDIT7 SECTION "SSL" [1171 - 1292] -->
< h3 class = "sectionedit8" id = "web_browser_configuration" > Web browser configuration< / h3 >
< div class = "level3" >
< / div >
< h4 id = "firefox" > Firefox< / h4 >
< div class = "level4" >
< p >
Go to < code > about:config< / code > in a tab and search for < code > trusted< / code > . Edit the property < code > network.negotiate-auth.trusted-uris< / code > and set its value to < code > example.com< / code > .
< / p >
< / div >
< h4 id = "internet_explorer" > Internet Explorer< / h4 >
< div class = "level4" >
< p >
Add < code > < a href = "https://auth.example.com" class = "urlextern" title = "https://auth.example.com" rel = "nofollow" > https://auth.example.com< / a > < / code > as a trusted site.
< / p >
< p >
Check in the security settings that Kerberos authentication is allowed.
< / p >
< / div > <!-- EDIT8 SECTION "Web browser configuration" [1293 - 1652] -->
< h2 class = "sectionedit9" id = "single_ad_domain" > Single AD domain< / h2 >
< div class = "level2" >
< / div > <!-- EDIT9 SECTION "Single AD domain" [1653 - 1682] -->
< h3 class = "sectionedit10" id = "client_kerberos_configuration" > Client Kerberos configuration< / h3 >
< div class = "level3" >
< p >
On the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server, edit < code > /etc/krb5.conf< / code > :
< / p >
< pre class = "code file ini" > < span class = "re0" > < span class = "br0" > [< / span > libdefaults< span class = "br0" > ]< / span > < / span >
< span class = "re1" > default_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
< span class = "re1" > dns_lookup_kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > false< / span >
< span class = "re1" > dns_lookup_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > no< / span >
< span class = "re1" > ticket_lifetime< / span > < span class = "sy0" > =< / span > < span class = "re2" > 24h< / span >
< span class = "re1" > forwardable< / span > < span class = "sy0" > =< / span > < span class = "re2" > yes< / span >
< span class = "re1" > renewable< / span > < span class = "sy0" > =< / span > < span class = "re2" > true< / span >
< span class = "re0" > < span class = "br0" > [< / span > realms< span class = "br0" > ]< / span > < / span >
EXAMPLE.COM < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > {< / span > < / span >
< span class = "re1" > kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "re1" > admin_server< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "br0" > }< / span >
< span class = "re0" > < span class = "br0" > [< / span > domain_realm< span class = "br0" > ]< / span > < / span >
.example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span > < / pre >
< p >
You can check that Kerberos works by trying to get a ticket for a domain user (for example coudot):
< / p >
< pre class = "code" > kinit coudot@EXAMPLE.COM< / pre >
< p >
A password may be requested. Then list the tickets:
< / p >
< pre class = "code" > klist -e< / pre >
< p >
You should find a krbtgt ticket:
< / p >
< pre class = "code" > Valid starting Expires Service principal
06/04/15 15:43:24 06/05/15 01:43:29 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96< / pre >
< p >
You can then close the Kerberos session:
< / p >
< pre class = "code" > kdestroy< / pre >
< / div > <!-- EDIT10 SECTION "Client Kerberos configuration" [1683 - 2684] -->
< h3 class = "sectionedit11" id = "obtain_keytab_file" > Obtain keytab file< / h3 >
< div class = "level3" >
< p >
Run this command in Active Directory:
< / p >
< pre class = "code" > ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\auth.keytab< / pre >
< div class = "noteimportant" > The values passed to -crypto and -ptype depend on the Active Directory version and on the workstation version. For example, you can use RC4-HMAC-NT as the encryption protocol if DES is not supported by the workstations (this is the default on Windows 8, for example).
< / div >
< p >
The < code > auth.keytab< / code > file must then be copied (over a secure medium) to the Linux server (for example into < code > /etc/lemonldap-ng< / code > ).
< / p >
< p >
Change the permissions on the keytab file:
< / p >
< pre class = "code" > chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab< / pre >
< p >
You can check the validity of the keytab file by requesting a service ticket and comparing it with the content of the keytab.
< / p >
< p >
Open a Kerberos session (as done in the previous step):
< / p >
< pre class = "code" > kinit coudot@EXAMPLE.COM< / pre >
< p >
Request a service ticket:
< / p >
< pre class = "code" > kvno HTTP/auth.example.com@EXAMPLE.COM< / pre >
< p >
The command output should be:
< / p >
< pre class = "code" > HTTP/auth.example.com@EXAMPLE.COM: kvno = 3< / pre >
< p >
Read the service ticket:
< / p >
< pre class = "code" > klist -e< / pre >
< p >
You should find a ticket like this:
< / p >
< pre class = "code" > 06/04/15 16:28:49 06/05/15 02:28:11 HTTP/auth.example.com@EXAMPLE.COM
renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac< / pre >
< p >
The Kerberos session can be closed:
< / p >
< pre class = "code" > kdestroy< / pre >
< p >
Now compare the result above with the same request made through the keytab:
< / p >
< pre class = "code" > klist -e -k -t /etc/lemonldap-ng/auth.keytab< / pre >
< p >
The command output should be:
< / p >
< pre class = "code" > Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)< / pre >
< p >
The important points to check are:
< / p >
< ul >
< li class = "level1" > < div class = "li" > KVNO must be identical< / div >
< / li >
< li class = "level1" > < div class = "li" > Principal names must be identical< / div >
< / li >
< li class = "level1" > < div class = "li" > Encryption types must be identical< / div >
< / li >
< / ul >
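< p >
Added example (not part of the original LemonLDAP::NG documentation): a shell check that automates the three comparisons above on constructed copies of this page's sample outputs, and also reports when the matching encryption type is a deprecated one. The function and variable names are assumptions made for this example.
< / p >

```shell
#!/bin/sh
# Added example: compare a service ticket with a keytab entry on KVNO,
# principal name and encryption type. Sample outputs are constructed from
# the listings on this page; function names are hypothetical.

PRINCIPAL='HTTP/auth.example.com@EXAMPLE.COM'
# Live equivalent: KVNO_OUT=$(kvno "$PRINCIPAL")
KVNO_OUT='HTTP/auth.example.com@EXAMPLE.COM: kvno = 3'
# Live equivalent: TICKET_OUT=$(klist -e)
TICKET_OUT='06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
    renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'
# Live equivalent: KEYTAB_OUT=$(klist -e -k -t /etc/lemonldap-ng/auth.keytab)
KEYTAB_OUT='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)'

# Key version number reported by kvno for principal $1 in output $2.
ticket_kvno() {
    printf '%s\n' "$2" | awk -v p="$1:" '$1 == p && $2 == "kvno" { print $4 }'
}

# Enctype protecting the ticket (the "tkt" value) for principal $1 in output $2.
# The ticket is encrypted with the service key, so this type must be in the keytab.
ticket_etype() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $NF == p { found = 1; next }
        found && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            split($0, e, /, */)
            print e[2]
            exit
        }'
}

# "KVNO enctype" pairs stored in the keytab listing $2 for principal $1.
keytab_entries() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $4 == p { gsub(/[()]/, "", $5); print $1, $5 }'
}

# DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated Kerberos enctypes.
# Recent MIT klist builds mark such types with a DEPRECATED: prefix.
is_weak_etype() {
    case "$1" in
        des-*|des3-*|arcfour-*|DEPRECATED:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints OK, OK_WEAK (match on a deprecated enctype), MISMATCH or NO_TICKET.
check_keytab() {
    want_kvno=$(ticket_kvno "$1" "$2")
    want_etype=$(ticket_etype "$1" "$3")
    if [ -z "$want_kvno" ] || [ -z "$want_etype" ]; then
        echo NO_TICKET; return 2
    fi
    if ! keytab_entries "$1" "$4" | grep -Fqx "$want_kvno $want_etype"; then
        echo MISMATCH; return 1
    fi
    if is_weak_etype "$want_etype"; then echo OK_WEAK; else echo OK; fi
}

check_keytab "$PRINCIPAL" "$KVNO_OUT" "$TICKET_OUT" "$KEYTAB_OUT"
```

< p >
On the page's own sample output the check prints OK_WEAK: the keytab matches the ticket, but on arcfour-hmac. A MISMATCH typically means the keytab was generated before the last password change of the mapped account, so its KVNO is stale.
< / p >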
< / div > <!-- EDIT11 SECTION "Obtain keytab file" [2685 - 4814] -->
< h2 class = "sectionedit12" id = "multiple_ad_domains" > Multiple AD domains< / h2 >
< div class = "level2" >
< / div > <!-- EDIT12 SECTION "Multiple AD domains" [4815 - 4847] -->
< h3 class = "sectionedit13" id = "client_kerberos_configuration1" > Client Kerberos configuration< / h3 >
< div class = "level3" >
< p >
Both domains must be defined in < code > /etc/krb5.conf< / code > :
< / p >
< pre class = "code file ini" > < span class = "re0" > < span class = "br0" > [< / span > libdefaults< span class = "br0" > ]< / span > < / span >
< span class = "re1" > default_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
< span class = "re1" > dns_lookup_kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > false< / span >
< span class = "re1" > dns_lookup_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > no< / span >
< span class = "re1" > ticket_lifetime< / span > < span class = "sy0" > =< / span > < span class = "re2" > 24h< / span >
< span class = "re1" > forwardable< / span > < span class = "sy0" > =< / span > < span class = "re2" > yes< / span >
< span class = "re1" > renewable< / span > < span class = "sy0" > =< / span > < span class = "re2" > true< / span >
< span class = "re0" > < span class = "br0" > [< / span > realms< span class = "br0" > ]< / span > < / span >
EXAMPLE.COM < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > {< / span > < / span >
< span class = "re1" > kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "re1" > admin_server< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "re1" > default_domain< / span > < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
< span class = "br0" > }< / span >
ACME.COM < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > {< / span > < / span >
< span class = "re1" > kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.acme.com< / span >
< span class = "re1" > admin_server< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.acme.com< / span >
< span class = "br0" > }< / span >
< span class = "re0" > < span class = "br0" > [< / span > domain_realm< span class = "br0" > ]< / span > < / span >
.example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
.acme.com < span class = "sy0" > =< / span > < span class = "re2" > ACME.COM< / span >
acme.com < span class = "sy0" > =< / span > < span class = "re2" > ACME.COM< / span > < / pre >
< p >
You should be able to open a Kerberos session in each domain:
< / p >
< pre class = "code" > kinit coudot@EXAMPLE.COM
klist -e
kdestroy< / pre >
< pre class = "code" > kinit coudot@ACME.COM
klist -e
kdestroy< / pre >
< / div > <!-- EDIT13 SECTION "Client Kerberos configuration" [4848 - 5592] -->
< h3 class = "sectionedit14" id = "obtain_keytab_file1" > Obtain keytab file< / h3 >
< div class = "level3" >
< p >
You need to obtain a keytab for each node in each domain. This means the ktpass command must be run in both ADs.
< / p >
< p >
You therefore have 2 keytabs for each node, for example:
< / p >
< ul >
< li class = "level1" > < div class = "li" > node1-example.keytab< / div >
< / li >
< li class = "level1" > < div class = "li" > node1-acme.keytab< / div >
< / li >
< / ul >
< p >
The 2 files must be concatenated, using the < code > ktutil< / code > command:
< / p >
< pre class = "code" > ktutil
ktutil: read_kt node1-example.keytab
ktutil: read_kt node1-acme.keytab
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
ktutil: quit< / pre >
< p >
You can then delete the original keytabs and protect the final keytab:
< / p >
< pre class = "code" > chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab< / pre >
< / div > <!-- EDIT14 SECTION "Obtain keytab file" [5593 - 6254] -->
< h2 class = "sectionedit15" id = "other_resources" > Other resources< / h2 >
< div class = "level2" >
< p >
To learn more:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < a href = "http://modauthkerb.sourceforge.net/configure.html" class = "urlextern" title = "http://modauthkerb.sourceforge.net/configure.html" rel = "nofollow" > http://modauthkerb.sourceforge.net/configure.html< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > < a href = "http://www.grolmsnet.de/kerbtut/" class = "urlextern" title = "http://www.grolmsnet.de/kerbtut/" rel = "nofollow" > http://www.grolmsnet.de/kerbtut/< / a > < / div >
< / li >
< / ul >
< / div > <!-- EDIT15 SECTION "Other resources" [6255 - ] -->
< / div >
< / body >
< / html >